Doman Name Server (DNS) records of Go Daddy-hosted websites have been compromised, potentially placing many at risk of being infected with malware known as ransomware.
By hacking DNS records, cyber crooks have been able to add one or more subdomains with corresponding DNS entries, so some visitors who access affected webpages are sent to malicious websites. Where hackers tricked people into visiting those subdomains, malware may have been downloaded onto victims’ machines. Such attacks are good at getting around security protections.
“The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers,” a blog post from security firm Sophos read. “This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe.”
Normally, as illustrated, victims can see they are at the wrong site, using the IP address, but this attack has apparently got round that.
From there, code runs, and exploit kit called ‘Cool’ is deployed and ransomware installed.
The ransomware served depends on the country of origin. In the UK, it is malware posing as a legitimate message from the Met’s Police e-Crime Unit (PCeU). It locks the computer, on the grounds that the computer was guilty of “unauthorised cyberactivity”, asking for payment to unlock it.
It remains unclear how the Go Daddy DNS records were hacked. The company had not responded to a request for comment at the time of publication.
Sophos suggested a likely cause was compromised user credentials, but was unable to check this as Go Daddy does not allow users to check historical login activity. “Enabling users to view historical login activity is a very simple way of helping to spot malicious activity early. Let’s hope Go Daddy change their stance on this,” the security firm added.
“Given the prevalence of attacks against web sites for the purpose of malware distribution it is high time that associated services (Registrars, hosting providers etc) pay adequate consideration to security.
“Users should not be allowed to use weak passwords. Two-factor authentication should be readily available, if not enforced.” Sophos has also contacted Go Daddy about the attacks.
In September, it was rumoured Go Daddy had been hacked, but the company said downtime was due to “a series of internal network events that corrupted router data tables”.
Think you’re a security pro? Try our quiz!
After axing 31 percent of its workforce when it failed to be acquired by Amazon,…
Mozilla Foundation axes 30 percent of its staff, and is eliminating its Advocacy Division that…
Improving security. Mandatory multi-factor authentication (MFA) is coming to the Google Cloud by the end…
New AI assurance platform from UK government will help businesses ensure they can safely develop…
Protecting kids? Australian government confirms plan to implement restriction on social media for children under…
Canada ordered China's TikTok business in the country to be dissolved over national security risks,…
View Comments
You may be interested that right now, i'm on the phone with GoDaddy regarding this very same issue..
my site http://www.foundersgyan.com has been injected with several subdomain entires
28j.foundersgyan.com/
7ot.foundersgyan.com/
etc.
All of these are being redirected to http://185.38.184.156 which is being blocked by my Anti-virus.
I'm pretty sure GoDaddy is not going to comment on this and just will solve the issue again without further action